I am trying to limit the events returned or the number of alerts triggered at the same time or within 5 seconds if the field "logon_type" shows the same value in all events.
I want to check that condition and, if it is met, i.e. Logon_Type!="7" within 5 seconds, trigger the alert once regardless of however many kick in. So, for example, if the logon type is 3 then only one event should show.
EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2")
| where (like(Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
It shows multiple events with logon type 3 when I RDP into a server. I want to limit that to 1. How can I do that?
Have you thought about doing it through a single alert? For example, say logon type 3 occurs 2 times during a 5 second interval and logon type 4 occurs once within the same 5 second interval; your single alert should contain a result with a column header (say logon_type) with 2 row entries, 1 each for types 3 and 4.
Without looking at your alert search, it could be something like this: | where Logon_Type!="7" | dedup Logon_Type | table _time, Logon_Type
It works, thanks. However, I keep getting one email of logon type 3 every few minutes (not constant: 10 min, 20 min) while I am RDP'd into the server and not doing anything, just logged in basically. How do I stop those concurrent emails, as I need one email only when I use my login credential initially? Thanks again!
Hi, that is more of an issue with your alert search... we need to look at your events and see what search you are executing to generate the alert.
EventCode=4624
| rex "(?ms)Logon Type:...(?<Logon_Type>\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?<Login_Security_ID>[AEW]+.\w+.\w+)"
| where (like(Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
| where Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2")
| dedup Logon_Type
This is what I am trying to execute, because I want to be alerted when my admin account (.a) is used. When I log in to the server and stay in and do nothing, the event triggers every 5 to 20 minutes on logon type 3, which I don't want, as I want to be alerted only once.
For example, if my .a account is used to run a script that would create another .a account without actually logging in or RDPing into the server, I should be alerted once with logon type 3. Therefore, I put a where clause on logon type 3 if there is no preceding logon type 2 or 10.
Please advise!
Your question is very unclear, but there is a throttling mechanism in the save dialog that has many options, including checking recent field values. If you need more direct control, you can add | outputlookup alert_tracking.csv and save this as a simple report, and have another search which is the actual alert start with | inputlookup alert_tracking.csv followed by the throttling logic that you need.
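A single-search variant of the lookup-based throttle suggested above, added here as an example and not code from the thread: it alerts once per admin account when a burst of type 3 logons starts, stays quiet while follow-up logons keep arriving (the repeating events every 5 to 20 minutes), and only fires again after a gap in that account's activity, assumed here to be 3600 seconds. It assumes the alert is scheduled every 5 minutes over the last 5 minutes, that admin accounts end in .a as the poster describes, and that alert_tracking.csv has been created once with the columns Login_Security_ID and last_alerted (for example with | makeresults | eval Login_Security_ID="seed", last_alerted=0 | outputlookup alert_tracking.csv).

```spl
EventCode=4624 earliest=-5m
| rex "(?ms)Logon Type:\s+(?<Logon_Type>\d+)"
| rex "(?ms)New Logon:\s+Security ID:\s+(?<Login_Security_ID>\S+)"
| where Logon_Type="3" AND like(Login_Security_ID, "%.a")
| stats min(_time) AS ev_first, max(_time) AS ev_last, count AS ev_count BY Login_Security_ID
| inputlookup append=true alert_tracking.csv
| stats min(ev_first) AS first_seen, max(ev_last) AS last_seen, sum(ev_count) AS count, max(last_alerted) AS last_alerted BY Login_Security_ID
| where isnotnull(first_seen)
| eval fire=if(isnull(last_alerted) OR first_seen - last_alerted > 3600, 1, 0)
| eval last_alerted=last_seen
| table Login_Security_ID, first_seen, last_seen, count, last_alerted, fire
| outputlookup append=true alert_tracking.csv
| where fire=1
| table Login_Security_ID, first_seen, last_seen, count
```

The second stats merges the new events (ev_* fields) with the history rows (last_alerted) per account, every run with activity is appended to the lookup so the quiet period slides forward with each new logon, and only rows with fire=1 reach the alert action. The alert's own throttle option (suppress results by Login_Security_ID for a fixed period) is the simpler choice when a fixed window is enough.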
Thanks for your response, but I am looking for what I mentioned in the above comment with sukisen. I appreciate your response though!